Information Technology

PURPOSE

This policy outlines the acceptable use of information resources at Wittenberg University and applies to all members of the Wittenberg community including, but not limited to faculty & staff, contractors, consultants, temporary employees, and those affiliated via third party contractors. This policy applies to all data and equipment that is owned or leased by Wittenberg University.

The purpose of this policy is to protect staff, faculty, students, partners, and the University against internal and/or external exposure of confidential information, malicious activity, including the compromise of systems and services, legal issues, financial loss, and damage to reputation by individuals, either knowingly or unknowingly.

SCOPE

Personnel using data and information resources (including but not limited to Internet/Intranet/Extranet-related and core systems, computer equipment, software, operating systems, storage media, and network accounts providing electronic messaging), must use them for business purposes in accordance with their job functions and responsibilities, serving the interests of the University and the customers in a legal, ethical, responsible, and secure manner, with respect for the rights of others.

POLICY

It is the responsibility of every user of information resources to know the Information Security Policies, Data Governance policies and the acceptable use of information resources, and to conduct their activities accordingly.

General Use

• Safeguard user accounts and passwords, and use them only as authorized
• Respect all pertinent licenses, copyrights, contracts, as well as other restricted and proprietary resources
• To accommodate users, Wittenberg University understands users will access the Internet for personal needs periodically
• It is expected that users will exercise good judgment regarding the reasonableness of personal use and any questions regarding appropriate use will be decided by management.
• Notify the appropriate system, network and/or security administrator(s) of any suspected or actual security violations/incidents.
• Secure all unattended workstations from unauthorized viewing or use.
• All workstations must be configured to automatically lock after 30 minutes of inactivity, and users should log off or lock their machines during extended periods of inactivity.

Unacceptable Use

The following unacceptable activities are by no means exhaustive, but attempt to provide a framework for activities that are strictly prohibited:

• Damaging computer systems
• Preventing another user from authorized resources
• Revealing account passwords to others. Users who receive usernames and passwords must keep their usernames and passwords confidential and must not share that information with others.
• Using another person's computer account, with or without their permission
• Providing information about other users to parties outside the University
• Providing protected students, faculty, staff or vendor information to any unauthorized person
• Intentionally corrupting, misusing, or stealing software or any other computing resource
• Sending unsolicited (spam) electronic messaging (e.g., email) and chain letters
• Forging electronic messaging header information
• Using electronic messaging, telephone or other communication method, to actively engage in procuring, viewing, or transmitting material that is in violation of sexual harassment or hostile workplace laws or other University policies.
• Accessing, editing, deleting, copying, or forwarding files or communications of another user in any media (e.g., paper, electronic, video, etc.), unless assigned as a job requirement or with prior consent from the file owner
• Deleting, editing, or copying files in another person's computer or electronic messaging account
• Illegal use, including duplication or distribution of copyrighted or University proprietary material, including electronic, hardcopy, audio, and video in any medium
• Users are forbidden to install software on their computers without the prior approval of their manager and the CIO.
• Procurement of or use of any Software as a Service (SaaS) or other cloud services without the approval of Information Technology
• Implementation of any information technology component, product or service without the approval of and involvement from IT
• Removing software from systems, unless assigned as a job requirement or prior consent from Information Technology is obtained
• Circumventing any of the information security measures of any host, network or account without approval from a member of the senior staff for emergency business purposes
• Using resources for personal benefit
• Introducing malicious programs into the information systems
• Unauthorized modification of configuration files
• Knowingly executing a program that may hamper normal activities without prior authorization
• Operating a wireless network or allowing other computers to connect to your computer wirelessly
• Users must not reveal any information about the University’s clients, staff, faculty or students, which is not already publicly available without expressed written permission from their manager
• Unauthorized disclosure of confidential information to individuals outside the University and to individuals within the University without a business need, legal or regulatory requirement
• Disclosure of Personally Identifiable Information (PII) such as social security numbers, bank/credit card numbers, driver’s license/id numbers, etc. and any other information classified as confidential, personal or sensitive to any unauthorized individual within the University without a business need
• Disclosure of PII to any individual outside of the University unless there is a legal or regulatory requirement
• Unencrypted transmission of PII (and confidential, personal and sensitive information), trade secrets, proprietary financial information and financial account numbers such as in the body of or an attachment to an electronic message, via File Transfer Protocol (FTP), via instant messenger or via fax
• Storing confidential information including PII (and confidential, personal, and sensitive information), trade secrets, proprietary financial information or financial account numbers on laptop computers and mobile computing devices unless no alternative exists and then it must be encrypted
• Unlawful content or application downloads from the internet are strictly forbidden. If downloads are required for business use, contact IT for proper arrangements
• Under no circumstance is a user authorized to engage in any activity deemed illegal by international, federal, state, or other local laws while utilizing University’s assets
• Under no circumstances may a user disable anti-virus software or alter anti-virus software settings
• Under no circumstances may a user disable firewall software or alter firewall software settings
• Users shall not open any electronic messaging attachments that are not expected, or are from unknown addresses, or appear in any way suspicious
• Users must not perform vulnerability scans, monitor network traffic, attempt to elevate rights or privileges, or gain access to information not expressly intended for them
• Users must be extremely cautious about the use of instant message applications, as these applications are insecure. Sensitive information must not be shared through this mechanism

To ensure compliance with this policy, Wittenberg University may perform periodic monitoring of systems, networks, and associated equipment at any time. Personnel using any Wittenberg University information resources consent to disclose the contents of any files or information stored or passed-through the University’s equipment. All data contained on or passing through the University’s assets is subject to monitoring and remains the property of the University.

Other provisions:

• Supervisors must provide explicit approval to users who need IT resources to do their jobs.
• The CIO must provide explicit approval to third parties to use IT resources.
• The CIO must provide explicit approval to any user or third party wishing to add a new device to the network
• Multi-factor authentication (MFA) is required in order to use all core applications
• Users must not access unauthorized systems or data resources, or utilize functions that are not necessary for the performance of the user’s duties
• IT shall maintain a list of all University owned devices and personnel with access to the University distributed computing environment.
• IT shall ensure all University owned devices are labeled with at least the name of the owner, contact information and purpose
• A list of acceptable uses of technology and acceptable network locations shall be maintained by IT
• The University procurement department shall maintain the definitive list of all University approved products.

Enforcement

Personnel using Wittenberg University’s information resources in opposition to this policy may be subject to limitations on the use of these resources, suspension of privileges (including internet access), as well as disciplinary and/or legal action, including termination of employment.

Staff, students, faculty, contractors, consultants, temporary employees, volunteers, and all personnel affiliated via third parties shall sign an agreement to comply and be governed by this policy and the Wittenberg University Information Security Policies and handbooks relevant to each user on an annual basis

For staff with access to credit card data or sensitive information, background checks will be performed.

RELATED REGULATIONS

This policy is a component of Wittenberg University information security program that is intended to comply with the PCI-DSS, FERPA, Gramm Leach Bliley Act and other regulations.

EXCEPTIONS

Only the Chief Information Officer (CIO) or a designated appointee is authorized to make exceptions to this policy. Any requests for exceptions shall be made using the “Request for Policy Exception” form and a copy maintained by the CIO.

VIOLATIONS

Any user found to have violated this policy may be subject to disciplinary action, up to and including notifying the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity. A Supervisor, Department Manager, Dean, or Vice President will address violations of this policy by faculty and staff members and have full authority to sanction an immediate stop to the actions in question. Appeals from any formal disciplinary action taken against a staff member must follow the appeal procedures outlined in the Employee Manual. The Vice President of Student Development (or designee) will address violations of this policy by students.

DISCLAIMER

The University makes no warranties of any kind, whether expressed or implied, with respect to the information technology services it provides. The University will not be responsible for damages resulting from the use of communication facilities and services, including, but not limited to, loss of data resulting from delays, non-deliveries, missed deliveries, service interruptions caused by the negligence of a University staff, or by the user's error or omissions. Use of any information obtained via the Internet is at the user's risk. The University specifically denies any responsibility for the accuracy or quality of information obtained through its electronic communication facilities and services, except material represented as an official University record. The University also does not accept responsibility for removing material that some users may consider defamatory or otherwise offensive. Users are advised, however, that dissemination of such material may subject them to liability in other forums.

RESPONSIBILITIES

REVISION HISTORY

This section contains comments on any revisions that were made to this document and the date they were made.